Network access control is ready for deployment. Action plan: Move slowly so as not to disrupt the business with sudden tight controls.

Our main goal with NAC is to restrict the access of unauthorized devices to certain segments of our corporate network. Several times, noncorporate devices connected to our corporate network introduced malware or were found to contain some of our intellectual property. We have a corporate policy that prohibits the use of personal devices on our network, but without NAC, we couldn't effectively enforce it.

With the initial deployment, we're focusing on end-user access points: the wired ports and wireless hubs in our offices, as well as the VPN. These are a higher priority than securing our production server networks and the engineering and test-and-development network segments in the data center. We'll get to those later.

We chose a NAC tool with a centralized management console that monitors every switch port on the VLANs serving our 50-plus offices around the world. With such far-flung facilities, this is more cost-effective than installing appliances at every location.

I'm sure you know how NAC works. Any device that connects to a switch port or authenticates to the network via 802.1x is interrogated before it is granted network access. Most of our authorized devices are Windows PCs. If a PC is seeking access, we first want to determine if it is a member of our domain. Next, we check that it's running our systems management software. For now, we're assuming that any PC that passes that test is up to date with patches and endpoint protection. Eventually, we might directly interrogate the device about those things, but for now we're going to be satisfied with this. PCs with the systems management software will be allowed to connect to the corporate network. Others will be halted and given some options: install the required software, be placed on a segmented network to facilitate that, or be given access to our guest network for limited Internet access.

In practice, this means that if a PC is a domain member but isn't running the systems management software, we may elect to install the software. On the other hand, if a PC is not a domain member (for example, one that has been brought in from home or by a vendor's rep) but is up to date with patches and is running an antivirus client, we may decide to grant access to the guest network. That option would still give a vendor's rep access to the Internet in order to provide product demos.

Other Devices

We have a few corporate-sanctioned Linux machines and Macs. To control their access to the corporate network, we could install a NAC agent on each device, create exceptions by registering the devices' MAC addresses or obtain each device's SSH key so that the NAC tool can interrogate the device. As for iPads, iPhones and Android mobile devices, they will be routed to the guest network unless they connect via a VPN client.

At this point in our NAC deployment, we're only monitoring the activity and not actually enforcing network lockouts, so as not to disrupt business activity. It's a good thing, too, since a whole lot of devices are failing to meet even our initial security policy. In initial monitoring, more than 40% of the Windows PCs could not be properly interrogated. Many of them were domain members, but we could not determine if they were running the systems management software. This will have to be looked into, as will the plethora of Linux and Apple devices that are connected to the network but are not corporate owned.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Latest Videos

​Email fraud is nothing new, but online criminals have become ever more-effective at spoofing their identities to trick employees into sending them money. The Australian Centre for Cyber Security (ACSC) recorded losses of over $20M to business email compromise (BEC) attacks last year alone, up 230 percent over the previous year – and the full amount is certain to be much larger.​

No matter how robust your security, or how diligent your employees, network credentials are a free pass for cybercriminals. This is mostly because employees are relied upon for their own password management. And with more than 4.8 billion sets of stolen credentials said to be available online, odds are that at least a few of your employees’ user IDs and passwords are just waiting to be used by unscrupulous outsiders. Are you ready to stop them?

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.